If your business or organization operates in the healthcare space, you are probably familiar with HIPAA (Health Insurance Portability and Accountability Act). It was introduced by Congress in 1996 to safeguard the interests of patients, providing a national standard to protect medical records and other personal health information. It covers identifiable information in any form, electronic or non-electronic, and can also cover medical devices which store patient data.
Why is HIPAA so important now?
With healthcare systems under unprecedented strain due to the Coronavirus crisis, cyber criminals are taking full advantage. From phishing e-mails purportedly from key health institutions to full-on cyber-attacks targeting major hospitals, hackers have the health industry firmly in their sights. With people desperate for information, new scams and breaches are constantly evolving, endangering personal health information and data. Complying with HIPAA has perhaps never been so challenging.
Who must comply with HIPAA?
The goal of HIPAA is to protect the medical records and personal health information of patients, while at the same time allowing them to receive the health care they require. In addition to individuals or bodies responsible for raw patient information, HIPAA also covers medical devices which can store, analyze and transmit patient data. Consequently, the requirements of HIPAA apply to the following:
Health insurance companies
Company health plans
Some government programs (like Medicare and Medicaid)
Doctors, psychologists, chiropractors, and dentists
Hospitals, nursing homes, pharmacies, and clinics
Medical device manufacturers
Entities which have legitimately received the medical histories of patients
These are known as “covered entities”. Importantly, individuals such as directors, employees or officers of a “covered entity” may also be directly criminally liable under HIPAA.
How do you comply with HIPAA?
The key here is the Security Rule within HIPAA. This sets out the standards and processes that those in the health industry should follow to adequately protect data and information. They include the following:
Risk Analysis: An ongoing evaluation of the likelihood and impact of potential risks to data, plus selecting, documenting and maintaining appropriate security measures.
Administrative Safeguards: A security official should be designated, while staff must be adequately trained in policies and procedures.
Physical Safeguards: Procedures regarding workstations and devices, covering who can work on them and how.
Technical Safeguards: Procedures on hardware, software, and the mechanisms used to record data and information, covering who has access to them and how they are used.
The price of non-compliance
In today’s challenging times, it is all too easy for those in the healthcare industry to take their eye off the ball and fall foul of HIPAA requirements. The consequence of this can be very expensive, with heavy fines even for those who unwittingly fail to comply.
Unknowing Violation: $100 to $50,000 per record if the provider didn’t know or couldn’t have known of the breach
Reasonable Cause: $1,000 to $50,000 per record if the provider knew or should have known with reasonable diligence (like repeat violations)
Willful Neglect: $10,000 to $50,000 per record if the provider acted with willful neglect and corrected the problem within 30 days.
Uncorrected Willful Neglect: $50,000 to $1.5 million if the provider acted with willful neglect and didn’t correct the violation in 30 days.
It is well worth noting that “knowingly” obtaining or disclosing personal health information can result in imprisonment.
So even in this age of uncertainty, when businesses and organizations have so much to contend with, HIPAA compliance is key. With bad cyber actors increasingly looking for new ways to exploit the COVID-19 crisis, now is the time to plan how to review your systems and procedures.